package org.apereo.cas.support.oauth.web.response.accesstoken;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.DefaultDPoPProofFactory;
import com.nimbusds.oauth2.sdk.dpop.verifiers.DPoPIssuer;
import com.nimbusds.oauth2.sdk.dpop.verifiers.DPoPTokenRequestVerifier;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;
import com.nimbusds.openid.connect.sdk.Nonce;
import java.net.URI;
import java.text.ParseException;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apereo.cas.AbstractOAuth20Tests;
import org.apereo.cas.authentication.CoreAuthenticationTestUtils;
import org.apereo.cas.services.DefaultRegisteredServiceProperty;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.web.servlet.ModelAndView;

/**
 * Checks the response model returned by the inherited
 * {@code generateAccessTokenResponseAndGetModelAndView} helper for four cases:
 * opaque access tokens, JWT access tokens, DPoP-bound access tokens, and JWT
 * access tokens issued with per-service signing/encryption key properties.
 *
 * <p>Every JWT assertion here goes through {@link JWTParser#parse(String)}, which
 * only establishes that the value is structurally a JWT. No signature, key or
 * claim is validated by these tests.
 */
@Tag("OAuth")
class OAuth20DefaultAccessTokenResponseGeneratorTests extends AbstractOAuth20Tests {
    OAuth20DefaultAccessTokenResponseGeneratorTests() {
    }

    /** Starts every test from an empty service registry. */
    @BeforeEach
    public void initialize() {
        clearAllServices();
    }

    /**
     * With JWT access tokens switched off, the model must expose the standard
     * token response fields and the access token must fail to parse as a JWT.
     */
    @Test
    void verifyAccessTokenAsDefault() throws Throwable {
        final OAuthRegisteredService service = getRegisteredService("example", "secret", new LinkedHashSet<>());
        service.setJwtAccessToken(false);
        this.servicesManager.save(service);

        final Map<String, Object> model = generateAccessTokenResponseAndGetModelAndView(service).getModel();
        Assertions.assertTrue(model.containsKey("access_token"));
        Assertions.assertTrue(model.containsKey("expires_in"));
        Assertions.assertTrue(model.containsKey("scope"));
        Assertions.assertTrue(model.containsKey("token_type"));
        // An opaque token is expected, so parsing it as a JWT has to be rejected.
        Assertions.assertThrows(ParseException.class,
            () -> JWTParser.parse(model.get("access_token").toString()));
    }

    /**
     * With JWT access tokens switched on, the access token must parse as a JWT.
     */
    @Test
    void verifyAccessTokenAsJwt() throws Throwable {
        final OAuthRegisteredService service = getRegisteredService("example", "secret", new LinkedHashSet<>());
        service.setJwtAccessToken(true);
        this.servicesManager.save(service);

        final ModelAndView response = generateAccessTokenResponseAndGetModelAndView(service);
        Assertions.assertTrue(response.getModel().containsKey("access_token"));
        // Structural check only: the signature is not verified here.
        Assertions.assertNotNull(JWTParser.parse(response.getModel().get("access_token").toString()));
    }

    /**
     * Supplies a DPoP proof and its confirmation value as authentication
     * attributes and expects a response whose {@code token_type} is {@code DPoP}
     * and whose access token parses as a JWT.
     */
    @Test
    void verifyDPoPAccessTokenAsJwt() throws Throwable {
        // NOTE(review): the mock request is created as GET while the proof below is minted
        // for POST; only the request URL is handed to the verifier, so an htm/method
        // mismatch is not exercised by this test. Confirm it is covered elsewhere.
        final MockHttpServletRequest request = new MockHttpServletRequest(HttpMethod.GET.name(), "/oauth2.0/accessToken");
        final OAuthRegisteredService service = getRegisteredService("example", UUID.randomUUID().toString(), "secret");
        this.servicesManager.save(service);

        // Proof is signed with a throwaway P-256 key generated for this test run.
        final SignedJWT proof = new DefaultDPoPProofFactory(
            new ECKeyGenerator(Curve.P_256).keyID("1").generate(), JWSAlgorithm.ES256)
            .createDPoPJWT("POST", new URI(request.getRequestURL().toString()));
        final String serializedProof = proof.serialize();

        // The single-use checker and the nonce are both null, so neither proof replay
        // detection nor a server-provided nonce is exercised by this test. The 30L argument
        // is presumably the accepted clock skew in seconds; verify against the SDK in use.
        final DPoPTokenRequestVerifier verifier = new DPoPTokenRequestVerifier(
            Set.of(JWSAlgorithm.ES256), new URI(request.getRequestURL().toString()), 30L, (SingleUseChecker) null);
        final String confirmation = verifier
            .verify(new DPoPIssuer(new ClientID(service.getClientId())), proof, (Nonce) null)
            .getValue()
            .toString();

        final ModelAndView response = generateAccessTokenResponseAndGetModelAndView(
            service,
            CoreAuthenticationTestUtils.getAuthentication(
                AbstractOAuth20Tests.ID,
                Map.of("DPoP", List.of(serializedProof), "DPoPConfirmation", List.of(confirmation))),
            OAuth20GrantTypes.AUTHORIZATION_CODE,
            request);

        Assertions.assertTrue(response.getModel().containsKey("access_token"));
        Assertions.assertTrue(response.getModel().containsKey("token_type"));
        Assertions.assertEquals("DPoP", response.getModel().get("token_type"));
        // Structural check only: the token's binding to the proof key is not asserted here.
        Assertions.assertNotNull(JWTParser.parse(response.getModel().get("access_token").toString()));
    }

    /**
     * Registers per-service JWT signing and encryption key properties and expects
     * the issued access token to parse as a JWT.
     */
    @Test
    void verifyAccessTokenAsJwtPerService() throws Throwable {
        final OAuthRegisteredService service = getRegisteredService("example", "secret", new LinkedHashSet<>());
        service.setJwtAccessToken(true);

        // The key literals below are test fixtures committed with the source; they must
        // not be reused as real signing or encryption keys.
        final DefaultRegisteredServiceProperty signingKey = new DefaultRegisteredServiceProperty();
        signingKey.addValue("pR3Vizkn5FSY5xCg84cIS4m-b6jomamZD68C8ash-TlNmgGPcoLgbgquxHPoi24tRmGpqHgM4mEykctcQzZ-Xg");
        service.getProperties().put(
            RegisteredServiceProperty.RegisteredServiceProperties.ACCESS_TOKEN_AS_JWT_SIGNING_KEY.getPropertyName(),
            signingKey);

        final DefaultRegisteredServiceProperty encryptionKey = new DefaultRegisteredServiceProperty();
        encryptionKey.addValue("0KVXaN-nlXafRUwgsr3H_l6hkufY7lzoTy7OVI5pN0E");
        service.getProperties().put(
            RegisteredServiceProperty.RegisteredServiceProperties.ACCESS_TOKEN_AS_JWT_ENCRYPTION_KEY.getPropertyName(),
            encryptionKey);

        this.servicesManager.save(service);

        final ModelAndView response = generateAccessTokenResponseAndGetModelAndView(service);
        Assertions.assertTrue(response.getModel().containsKey("access_token"));
        // Only proves the value is some JWT form; it does not show that the per-service
        // keys, rather than global ones, were used to produce it.
        Assertions.assertNotNull(JWTParser.parse(response.getModel().get("access_token").toString()));
    }
}
